How to solve Error creating Service: googleapi: Error 403: Permission 'iam.serviceaccounts.actAs' denied on service account
I've been trying to create a public Cloud Run invoker policy and bind it to my cb_app Cloud Run service so that it can be exposed. I've created a custom service account and assigned it the cloud admin role. But I'm getting this error:
Error: Error creating Service: googleapi: Error 403: Permission 'iam.serviceaccounts.actAs' denied on service account [email protected] (or it may not exist).
Here are the configs:
    resource "google_cloud_run_service_iam_member" "domain" {
      service  = google_cloud_run_service.cb_app.name
      location = google_cloud_run_service.cb_app.location
      role     = "roles/run.admin"
      member   = "serviceAccount:${var.service_account}"
    }

    # create service account to run service
    resource "google_service_account" "cb_app" {
      account_id   = "app-worker"
      display_name = "app worker"
    }
And in the app service, I have this:
    # inside the template { } block of google_cloud_run_service.cb_app
    spec {
      # Use locked down Service Account
      service_account_name = google_service_account.cb_app.email
    }
Any ideas on how to solve this?
Solution 1:[1]
When you create a resource such as Cloud Run, you have the option to attach a service account to the resource.
The following error means that the identity (user or service account) that Terraform is using does not have permission to attach the service account to the resource:
Error: Error creating Service: googleapi: Error 403: Permission 'iam.serviceaccounts.actAs' denied on service account [email protected] (or it may not exist).
The solution is to add the role roles/iam.serviceAccountUser to the identity that Terraform is running under. You do not specify the identity in your question. The identity could be a user account or a service account. Go to the Google Cloud Console -> IAM. Find the identity and add the role.
You can also use the gcloud CLI. The exact command arguments depend on the identity type.
For a user account:
gcloud projects add-iam-policy-binding PROJECT_ID \
--member='user:[email protected]' \
--role='roles/iam.serviceAccountUser'
For a service account:
gcloud projects add-iam-policy-binding PROJECT_ID \
--member='serviceAccount:myserviceaccount@PROJECT_ID.iam.gserviceaccount.com' \
--role='roles/iam.serviceAccountUser'
The above commands use Linux syntax. For Windows replace \ with ^
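The project-wide grant above works, but roles/iam.serviceAccountUser at project level lets the deployer act as every service account in the project. The following Terraform is an added example (not from the question or the answer) that grants actAs on the one service account the Cloud Run service uses, orders the service after that grant, and exposes the service with roles/run.invoker for allUsers instead of the roles/run.admin binding shown in the question; the deployer member, region and container image are assumptions.

```hcl
# Identity that runs `terraform apply` (assumption: a dedicated deployer
# service account; use "user:you@example.com" for a human account).
variable "deployer_member" {
  type    = string
  default = "serviceAccount:terraform-deployer@PROJECT_ID.iam.gserviceaccount.com" # placeholder
}

# Runtime identity for the Cloud Run service (same as in the question).
resource "google_service_account" "cb_app" {
  account_id   = "app-worker"
  display_name = "app worker"
}

# Grant iam.serviceAccounts.actAs on this service account only, instead of
# roles/iam.serviceAccountUser on the whole project: the deployer can attach
# app-worker to Cloud Run but cannot act as any other service account.
resource "google_service_account_iam_member" "deployer_act_as" {
  service_account_id = google_service_account.cb_app.name
  role               = "roles/iam.serviceAccountUser"
  member             = var.deployer_member
}

resource "google_cloud_run_service" "cb_app" {
  name     = "cb-app"
  location = "us-central1" # assumption

  template {
    spec {
      service_account_name = google_service_account.cb_app.email
      containers {
        image = "gcr.io/cloudrun/hello" # assumption: Google's public sample image
      }
    }
  }

  # Create the service only after the actAs grant exists; otherwise the first
  # apply fails with the 403 from the question.
  depends_on = [google_service_account_iam_member.deployer_act_as]
}

# Public exposure: anonymous callers get roles/run.invoker and nothing more.
resource "google_cloud_run_service_iam_member" "public_invoker" {
  service  = google_cloud_run_service.cb_app.name
  location = google_cloud_run_service.cb_app.location
  role     = "roles/run.invoker"
  member   = "allUsers"
}
```

IAM bindings can take a few minutes to propagate, so a first apply immediately after the grant may still need a retry even with the depends_on.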
Solution 2:[2]
Possible solution to this issue if you're encountering it while applying Terraform in Google Cloud Shell.
I also encountered a very similar error:
Error: googleapi: Error 403: Missing necessary permission iam.serviceAccounts.actAs for $MEMBER
on the service account [email protected].
Grant the role 'roles/iam.serviceAccountUser' to $MEMBER on the service
account [email protected].
You can do that by running 'gcloud iam service-accounts
add-iam-policy-binding [email protected] --member=$MEMBER
--role=roles/iam.serviceAccountUser'.
In case the member is a service account please use the prefix 'serviceAccount:' instead of 'user:'.
I think this error message is deceptive/misleading.
My solution:
- was not to give the "Service Account User" role to [email protected]
- was not to give the "Service Account User" role to the Terraform deployment service account.
- was to give the "Service Account User" role to my own personal GCP account.
It seems like Cloud Shell uses a mixture of authorisation accounts when applying Terraform. In some cases it uses the service account defined in the provider and at other times it uses your own GCP OAuth account.
Solution 3:[3]
I ran this command:
    gcloud config set auth/impersonate_service_account [SA_FULL_EMAIL]
and it worked for me.
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 | John Hanley |
| Solution 2 | |
| Solution 3 | Ethan |